Creating a VPN between a Cisco ASA and vCloud Air

In preparation for an upcoming project with my resident Code Monkey, I decided it was time to link the lab to my vCloud Air instance using a VPN. However, as GUI access to the firewalls is disabled in the lab, the on-premises configuration has to be done from the CLI.

In the following example I assume you have configured a default routed network on vCloud Air, and have also deployed an Edge Gateway.

vCloud Air

In this example, I am using the following details (substitute accordingly):

Public IP: 92.246.244.211

Local network: 192.168.109.0/24

Peer network: 10.10.10.0/24

Connect to your vCloud Air instance and select Gateways. You should have already assigned a public IP:

Click Manage in vCloud Director.

An Edge Gateway should already be defined. Right-click and select Edge Gateway Services…

Click on the VPN tab.

Check the box Enable VPN and click Public IPs…

Type the public IP shown into the box and click OK.

In the Configure Services: gateway box, click Add…

Type a name in the Name box, and select a remote network from the Establish VPN to drop-down box.

Click to select the local network, and then type the network address of your on-premises network in CIDR notation in the Peer Networks box.

In the Local ID box, type the public IP of your Edge Gateway (in my case 92.246.244.211):

In the Peer ID box, type the public IP of your firewall (in my case a Cisco ASA). Type the same IP address in the Peer IP box.

Finally, click the Show key box and make a copy of the pre-shared key.

Click OK, and then OK again. If configured correctly, the settings should look like:

Note: I have blanked out my peer ID and IP for security reasons.

Cisco ASA configuration

In this example, I am using the following details (substitute accordingly):

Local network: 10.10.10.0/24

Peer network: 192.168.109.0/24

Access the ASA’s command line interface. Enter configuration mode, create objects for the local (on-prem) and remote (vCloud Air) networks and an access list for the traffic:
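The on-premises side, written out as an added example (this is not the post's own configuration, which is not reproduced on this page): an IKEv1 site-to-site tunnel on an ASA running 8.4 or 9.x, using the addresses above. The interface names inside/outside, the object, ACL, transform-set and crypto-map names, and the crypto proposal (AES-256, SHA-1, DH group 2, PFS group 2, 28800 s phase 1 and 3600 s phase 2 lifetimes) are all assumptions; the proposal has to match what the Edge Gateway is set to, and the pre-shared key is the one copied from the Show key dialog in vCloud Director. The twice-NAT statement is the NAT exemption that stops the tunnel traffic being translated to the outside address.

```cisco
! Added example: Cisco ASA 8.4+/9.x IKEv1 site-to-site tunnel to a vCloud Air Edge Gateway.
! Interface names (inside/outside), object/ACL/crypto-map names and the crypto proposal
! are assumptions; match the proposal to the Edge Gateway's VPN settings.

! 1. Objects for the on-premises (local) and vCloud Air (peer) networks
object network OnPrem-LAN
 subnet 10.10.10.0 255.255.255.0
object network vCA-LAN
 subnet 192.168.109.0 255.255.255.0

! 2. "Interesting traffic" that should be sent through the tunnel
access-list vCA-VPN extended permit ip object OnPrem-LAN object vCA-LAN

! 3. NAT exemption (twice NAT) so tunnel traffic is not PAT'd to the outside address
nat (inside,outside) source static OnPrem-LAN OnPrem-LAN destination static vCA-LAN vCA-LAN no-proxy-arp route-lookup

! 4. IKEv1 phase 1: enable IKEv1 on the outside interface and define the policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

! 5. IPsec phase 2 transform set
crypto ipsec ikev1 transform-set vCA-TS esp-aes-256 esp-sha-hmac

! 6. Peer definition: the Edge Gateway public IP and the pre-shared key copied from
!    the "Show key" dialog in vCloud Director (placeholder below)
tunnel-group 92.246.244.211 type ipsec-l2l
tunnel-group 92.246.244.211 ipsec-attributes
 ikev1 pre-shared-key <key-copied-from-vCloud-Director>

! 7. Crypto map tying ACL, peer, transform set and PFS together, applied to outside
crypto map outside_map 10 match address vCA-VPN
crypto map outside_map 10 set peer 92.246.244.211
crypto map outside_map 10 set ikev1 transform-set vCA-TS
crypto map outside_map 10 set pfs group2
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map interface outside
```

The ASA's outside address must be exactly what was entered as Peer ID and Peer IP on the Edge Gateway, since the peer is identified by address on both sides. The tunnel is only negotiated when interesting traffic arrives, so send a ping from a 10.10.10.0/24 host to a 192.168.109.0/24 host (or run `packet-tracer input inside icmp 10.10.10.10 8 0 192.168.109.10` to see the VPN phase being hit), then check `show crypto ikev1 sa` for an MM_ACTIVE entry and `show crypto ipsec sa peer 92.246.244.211` for encaps/decaps counters that increment in both directions. If phase 1 never comes up, a proposal or key mismatch is the usual cause; `debug crypto ikev1 127` on the ASA shows which. DH group 2 and SHA-1 are the weakest settings worth accepting here: if the Edge Gateway offers a larger DH group, use it on both ends.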

3 thoughts on “Creating a VPN between a Cisco ASA and vCloud Air”

Nice article, I remember struggling with this a year ago when I implemented vCA at the company I work for. I’d be interested to see what it would look like with VPN failover – i.e. I have two ISPs on site and setting up VPN failover between both of those ISPs to vCA. I haven’t figured that part out yet.

However, I have a scenario: my customer wants to create a redundant VPN, like we do in a Cisco ASA. So, they have two internet links on their end, say Internet A and Internet B. They connect to us, say Internet C. So they want to create a single VPN between A and C, and in case A to C goes down, then tunnel B to C should come up.
Something like in ASA – Crypto map X peer A.A.A.A B.B.B.B to be configured on Internet C.
C is an Edge Firewall with IPsec Services enabled.
Any suggestions on how we can achieve that?